
	Home > Ask the Security Experts > Network Security Questions & Answers > How to secure servers when implementing internal network applications

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to secure servers when implementing internal network applications

EXPERT RESPONSE FROM: Mike Chapple, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 25 September 2007
I have applications that can be publicly accessed in the DMZ. I need to install an application on the secured side of the network, but the application will need IIS installed on that server. If I do so, using internal IP addresses and not public ones, will IIS vulnerabilities expose my application? What do you advise?

BROWSE BY TAG

Network Security, DMZ Setup and Configuration, NAC and Endpoint Security Management, Enterprise Network Security, VLAN Security Management, Web Application and Web 2.0 Threats, Application and Platform Security, Web Security Tools and Best Practices, Web Server Threats and Countermeasures, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Network Security
	Should enterprises be running multiple firewalls?
	What are best practices for fiber optic cable security?
	What is the difference between a VPN and remote control?
	What are the disadvantages of proxy-based firewalls?
	What are the best practices for IPS implementation?
	How to prevent DDoS attacks on websites
	How to configure firewall ports for webmail system implementation
	Can S/MIME, XML and IPsec operate in one protocol layer?
	How should service providers address VoIP security issues and threats?
	How to set up a corporate cell phone management strategy

DMZ Setup and Configuration

How to set up a DMZ

How to configure firewall ports for webmail system implementation

When should a database application be placed in a DMZ?

How will many firewalls serving as the default gateway affect the DMZ?

Should a domain controller be placed within the DMZ?

If one server in a DMZ network gets attacked from outside, will the other servers be corrupted?

Should an ISP keep corrupted machines off of a network?

A security checklist: How to build a solid DMZ

How is internal mail channeled through an enterprise firewall?

Microsoft NAP-TNC compatibility won't speed adoption, users say

VLAN Security Management

Cloud, virtualization servers pose challenges for PCI compliance

How should service providers address VoIP security issues and threats?

How to build security into a virtualized server environment

Microsoft NAP-TNC compatibility won't speed adoption, users say

Hackers have knack for beating NAC systems

NAC helps aerospace firm's network blast off

Network Access Control Learning Guide

Using VLANs to compartmentalize WLAN traffic

RSA Conference 2006

Popular VLAN attacks and how to avoid them

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

DMZ (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

You're on the right track; the applications that require public access should be installed and placed in the DMZ. I'm inferring from your question that you want to offer private applications to users on the internal network, but you want to do so using the same server that provides public applications. I do not recommend this approach for two reasons:

Mixing public and private services on the same server exposes you to significant application-layer risk. A flaw in the public application, such as an SQL injection vulnerability, could expose data used by the private application, and no additional layer of control or protection would be provided.

Services used solely by internal users do not belong in the same DMZ that provides services to the general public. The purpose of the DMZ is to provide a layer of isolation between public and private services. Even if you install the private application on a separate server within the DMZ, you still run the risk of compromising the server that runs the public processes. If that type of corruption occurs, you could potentially have a compromised server living in the same security zone as the private server. If both servers reside in the DMZ, traffic between them would not be regulated by the firewall.

My recommendation would be to implement a fourth firewall zone, using a separate network interface card (NIC) on the firewall or virtual LAN (vLAN) technology. This fourth zone -- perhaps call it the "internal DMZ" -- would be for services that process private data and should be restricted to internal users only.

More information:

Learn how VLANs can compartmentalize WLAN traffic.

A demilitarized zone protects systems from an affected server, but enterprise users should not be placed in the DMZ. Mike Chapple explains where they belong.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy